A larger proportion of cyberattacks in the first half of 2019 can be attributed to electronic criminals (eCrime adversaries) compared to state-sponsored or unidentified attacks. CrowdStrike, a cybersecurity company that provides the CrowdStrike Falcon endpoint protection platform, observes that 61% of targeted cybersecurity campaigns in the first half of 2019 were sourced from eCrime adversaries, compared to 39% from other sources.
The eCrime portion more than doubled since 2018, reflecting an escalation of criminal players in search of more and larger payouts. The trend is among the information presented in CrowdStrike’s Overwatch 2019 Mid-Year Report: Observations from the Front Lines of Threat Hunting. Falcon OverWatch is the CrowdStrike-managed threat hunting service built on the CrowdStrike Falcon platform.
Technology was the top vertical market targeted by cyber-attacks in the first half of the year, followed by telecommunications and non-governmental organisations (including think tanks). Other targets (in decreasing order) were retail, financial, manufacturing, transportation and logistics, gaming, entertainment and engineering. Hospitality dropped off the list so far this year, although CrowdStrike expects an increase in intrusions aimed at the hospitality industry to put it back in the top 10 by the end of the year.
Intrusion adversaries
In terms of intrusion adversaries, the top players so far in 2019 are Spiders (eCrime) and Pandas (China). Regarding initial access techniques, the most common remain, in order of prevalence, valid accounts, spear-phishing and exploitation of public-facing applications.
2019 is proving to be an active year, with a significant increase in eCrime and in the inter-relationships across different groups as they strengthen their organisations, forge alliances and expand their footprint.
Need for a proactive security posture
Many of the techniques used by eCrime actors are easily defensible through strong security products and a proactive security posture, says CrowdStrike, which recommends the following measures to help maintain strong defense in 2019:
- Be attentive to basic hygiene such as user awareness, asset and vulnerability management, and secure configurations, which form the foundation for a strong cybersecurity program.
- User awareness programs can combat the continued threat of phishing and related social engineering techniques.
- Asset management and software inventory ensure that an organisation understands its footprint and exposure.
- Vulnerability and patch management can verify that known vulnerabilities and insecure configurations are identified, prioritised and remediated.
- Multifactor authentication (MFA) should be established for all users because today's attackers are adept at accessing and using valid credentials.
- A robust privileged access management process will limit the damage adversaries can do if they get in and reduce the likelihood of lateral movement.
- Implementing password protection prevents disabling or uninstalling endpoint protection that provides critical prevention and visibility for defenders.
Countering sophisticated cyber attacks
As sophisticated attacks continue to evolve, enterprises face more than a "malware problem." Defenders should look for early warning signs that an attack may be underway, such as code execution, persistence, stealth, command and control, and lateral movement within a network.
Contextual and behavioral analysis, when delivered in real time via machine learning and artificial intelligence, effectively detects and prevents attacks that conventional "defense-in-depth" technologies cannot address.
"1-10-60 rule" in combating advanced cyber threats
CrowdStrike recommends that organisations pursue a "1-10-60 rule" in order to effectively combat sophisticated cyberthreats. That is, they should seek to detect intrusions in under one minute, perform a full investigation in under 10 minutes, and eradicate the adversary from the environment in under 60 minutes.
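To make the 1-10-60 rule measurable against an organisation's own incident records, the following Python script (an added example, not code from the article or from CrowdStrike) computes the three phase durations from an incident timeline and reports which targets were met. The incident records are constructed sample data; the choice to measure each phase from the end of the previous one (detection from first adversary activity, investigation from detection, eradication from the end of investigation) is an assumption made here for the example.

```python
from datetime import datetime, timedelta

# Phase targets from the 1-10-60 rule: detect in under 1 minute,
# investigate in under 10 minutes, eradicate in under 60 minutes.
RULE_1_10_60 = {
    "detect": timedelta(minutes=1),
    "investigate": timedelta(minutes=10),
    "eradicate": timedelta(minutes=60),
}

# Constructed sample incidents (not real data). Each record carries the
# ISO-8601 timestamps of the four milestones used by the rule:
#   intrusion    - first adversary activity on the host (from the forensic timeline)
#   detected     - alert raised and triaged as a true positive
#   investigated - scope, entry point and affected assets understood
#   eradicated   - adversary access removed from the environment
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "intrusion": "2019-06-03T09:00:00", "detected": "2019-06-03T09:00:40",
     "investigated": "2019-06-03T09:08:00", "eradicated": "2019-06-03T09:55:00"},
    {"id": "INC-2", "intrusion": "2019-06-10T14:00:00", "detected": "2019-06-10T14:03:00",
     "investigated": "2019-06-10T14:10:00", "eradicated": "2019-06-10T16:00:00"},
]

MILESTONES = ("intrusion", "detected", "investigated", "eradicated")


def measure_incident(incident):
    """Return the elapsed time of each phase as a timedelta.

    Assumption (this example's convention): each phase is timed from the
    end of the previous one, so the three durations sum to total dwell time.
    """
    t = {name: datetime.fromisoformat(incident[name]) for name in MILESTONES}
    return {
        "detect": t["detected"] - t["intrusion"],
        "investigate": t["investigated"] - t["detected"],
        "eradicate": t["eradicated"] - t["investigated"],
    }


def evaluate(incident, rule=RULE_1_10_60):
    """Map each phase to True if it finished strictly under the rule's target."""
    elapsed = measure_incident(incident)
    return {phase: elapsed[phase] < limit for phase, limit in rule.items()}


def summarize(incidents, rule=RULE_1_10_60):
    """Fraction of incidents meeting each phase target, across a set of incidents."""
    results = [evaluate(incident, rule) for incident in incidents]
    return {phase: sum(r[phase] for r in results) / len(results) for phase in rule}


if __name__ == "__main__":
    for incident in SAMPLE_INCIDENTS:
        print(incident["id"], evaluate(incident))
    print("share meeting target:", summarize(SAMPLE_INCIDENTS))
```

Running it on the sample data shows INC-1 meeting all three targets, while INC-2 misses the detection and eradication targets; the summary then reports 50% compliance for those two phases and 100% for investigation, which is the kind of per-phase breakdown that tells a team where to invest in visibility or automation.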
A source at CrowdStrike said "Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action."